Hi There,

Due to a shortage of computers, I need to install Apache on my Shorewall box (192.168.1.1), but the real web server is on another box (192.168.1.2).
I tried to put in the rule:

DNAT net loc:192.168.168.1 tcp 80

But every time a www connection comes in, it hits my Shorewall.

Any solution?

Cheers
Phillipus Gunawan wrote:
> Hi There,
>
> Due to a shortage of computers, I need to install Apache on my Shorewall box (192.168.1.1),
> but the real web server is on another box (192.168.1.2).
> I tried to put in the rule:
>
> DNAT net loc:192.168.168.1 tcp 80
>
> But every time a www connection comes in, it hits my Shorewall.
>
> Any solution?

Sorry -- I don't fully understand the problem. Do you also have this rule to forward web traffic to 192.168.1.2?

DNAT net loc:192.168.1.2 tcp 80

If so, then to access the web server on the Shorewall system, you need to either always use its internal IP address (192.168.1.1) or you need to forward a different port to it, such as:

REDIRECT net 80 tcp 81

Hope this helps,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Thanks for your reply.

Yes, I did put:

DNAT net loc:192.168.1.2 tcp 80

(typo mistake, it should be 192.168.1.2 -not- 192.168.168.2)

When I type my external IP from my ISP, it hits the Apache on Shorewall (192.168.1.1), where it should hit my Apache on the other box (192.168.1.2).

Cheers

----- Original Message ----
From: Tom Eastep <teastep@shorewall.net>
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Sent: Friday, 19 June, 2009 2:12:09 AM
Subject: Re: [Shorewall-users] Redirect port 80 away from Shorewall?

Phillipus Gunawan wrote:
> Hi There,
>
> Due to a shortage of computers, I need to install Apache on my Shorewall box (192.168.1.1),
> but the real web server is on another box (192.168.1.2).
> I tried to put in the rule:
>
> DNAT net loc:192.168.168.1 tcp 80
>
> But every time a www connection comes in, it hits my Shorewall.
>
> Any solution?

Sorry -- I don't fully understand the problem. Do you also have this rule to forward web traffic to 192.168.1.2?

DNAT net loc:192.168.1.2 tcp 80

If so, then to access the web server on the Shorewall system, you need to either always use its internal IP address (192.168.1.1) or you need to forward a different port to it, such as:

REDIRECT net 80 tcp 81

Hope this helps,
-Tom
Phillipus Gunawan wrote:
> Thanks for your reply.
> Yes, I did put:
> DNAT net loc:192.168.1.2 tcp 80
> (typo mistake, it should be 192.168.1.2 -not- 192.168.168.2)
>
> When I type my external IP from my ISP, it hits the Apache on Shorewall (192.168.1.1),
> where it should hit my Apache on the other box (192.168.1.2).

Where are you testing from? Not the local network, I hope.

-Tom
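As an added example (not from the thread or the Shorewall project), here is a /etc/shorewall/rules fragment in Shorewall 4.2 syntax that combines Tom's two rules with a loc-to-loc DNAT so that a test from the LAN that uses the public address also lands on 192.168.1.2 rather than on the firewall's own Apache; the public address 203.0.113.10 and the loc network 192.168.1.0/24 on eth1 are assumptions.

```text
# /etc/shorewall/rules  (constructed example; columns are
# ACTION  SOURCE  DEST  PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST)

# External clients: port 80 on the public address goes to the real web server.
# Note the destination is 192.168.1.2, in the loc subnet; the first rule in the
# thread pointed at 192.168.168.1, which is in a different network altogether.
DNAT      net   loc:192.168.1.2   tcp   80

# The firewall's own Apache stays reachable from outside, but on port 81 only,
# so it never competes with the forward above for port 80.
REDIRECT  net   80                tcp   81

# Hairpin for tests run from the LAN (the case Tom asks about): a loc client that
# browses to the public address 203.0.113.10 (assumed placeholder) is rewritten
# to 192.168.1.2 as well, instead of reaching the firewall's listener.
DNAT      loc   loc:192.168.1.2   tcp   80   -   203.0.113.10
```

For the loc-to-loc rule to work when client and server share one interface, the Shorewall FAQ also calls for the `routeback` option on that interface in /etc/shorewall/interfaces and an `eth1 192.168.1.0/24` entry in /etc/shorewall/masq so that replies return through the firewall; confirm both against the FAQ for the version in use.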
Hi,

Shorewall ver 4.2.9
Shorewall.conf perl

If I have the line below, I get the following error: 'ERROR: Invalid/Unknown tcp port/service (!443) : /etc/shorewall/rules (line 130)'.

REDIRECT dmz 3128 tcp !443

This works fine if I am using shorewall.conf = shell.

Is there another way to get around this using perl? I need to redirect all tcp ports on the dmz to 3128, except 443.

Thanks.
P H wrote:
> Hi,
>
> Shorewall ver 4.2.9
> Shorewall.conf perl
>
> If I have the line below, I get the following error: 'ERROR:
> Invalid/Unknown tcp port/service (!443) : /etc/shorewall/rules (line 130)'.
>
> REDIRECT dmz 3128 tcp !443
>
> This works fine if I am using shorewall.conf = shell.
>
> Is there another way to get around this using perl?
> I need to redirect all tcp ports on the dmz to 3128, except 443.

This defect is corrected in Shorewall 4.4. In the meantime, insert a NONAT rule before the REDIRECT rule:

NONAT dmz - tcp 443

-Tom
> Date: Thu, 18 Jun 2009 20:16:49 -0700
> From: teastep@shorewall.net
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Redirect failing
>
> P H wrote:
> > Hi,
> >
> > Shorewall ver 4.2.9
> > Shorewall.conf perl
> >
> > If I have the line below, I get the following error: 'ERROR:
> > Invalid/Unknown tcp port/service (!443) : /etc/shorewall/rules (line 130)'.
> >
> > REDIRECT dmz 3128 tcp !443
> >
> > This works fine if I am using shorewall.conf = shell.
> >
> > Is there another way to get around this using perl?
> > I need to redirect all tcp ports on the dmz to 3128, except 443.
>
> This defect is corrected in Shorewall 4.4. In the meantime, insert a
> NONAT rule before the REDIRECT rule:
>
> NONAT dmz - tcp 443
>
> -Tom

Thank you
Hi,

Shorewall ver 4.2.9
Shorewall.conf perl

I am changing from SHELL to PERL.

/etc/shorewall/interfaces

#ZONE   INTERFACE   BROADCAST     OPTIONS
net     ppp0        detect        routefilter,norfc1918,tcpflags,blacklist
modem   eth0        detect
loc     eth1        10.10.1.255   tcpflags,dhcp
dmz     eth2        10.10.3.255   tcpflags,dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I am getting these errors when running shorewall start.

Compiling /etc/shorewall/interfaces...
WARNING: Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available : /etc/shorewall/interfaces (line 13)
WARNING: Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available : /etc/shorewall/interfaces (line 14)
Compiling /etc/shorewall/blacklist...
Adding rules for DHCP
WARNING: The 'norfc1918' option is deprecated
Compiling /usr/share/shorewall/rfc1918...

For the first 2 errors in the interfaces file, is it OK to change it to the following?

#ZONE   INTERFACE   BROADCAST     OPTIONS
net     ppp0        detect        routefilter,norfc1918,tcpflags,blacklist
modem   eth0        detect
loc     eth1        detect        tcpflags,dhcp
dmz     eth2        detect        tcpflags,dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

As for the WARNING: The 'norfc1918' option is deprecated, how can this be fixed?

Thank you.
P H wrote:
> Hi,
>
> Shorewall ver 4.2.9
> Shorewall.conf perl
>
> I am changing from SHELL to PERL.
>
> /etc/shorewall/interfaces
>
> #ZONE   INTERFACE   BROADCAST     OPTIONS
> net     ppp0        detect        routefilter,norfc1918,tcpflags,blacklist
> modem   eth0        detect
> loc     eth1        10.10.1.255   tcpflags,dhcp
> dmz     eth2        10.10.3.255   tcpflags,dhcp
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> I am getting these errors when running shorewall start.
>
> Compiling /etc/shorewall/interfaces...
> WARNING: Shorewall no longer uses broadcast addresses in rule
> generation when Address Type Match is available :
> /etc/shorewall/interfaces (line 13)
> WARNING: Shorewall no longer uses broadcast addresses in rule
> generation when Address Type Match is available :
> /etc/shorewall/interfaces (line 14)
>
> Compiling /etc/shorewall/blacklist...
> Adding rules for DHCP
> WARNING: The 'norfc1918' option is deprecated
> Compiling /usr/share/shorewall/rfc1918...
>
> For the first 2 errors in the interfaces file, is it OK to change it to the following?
>
> #ZONE   INTERFACE   BROADCAST     OPTIONS
> net     ppp0        detect        routefilter,norfc1918,tcpflags,blacklist
> modem   eth0        detect
> loc     eth1        detect        tcpflags,dhcp
> dmz     eth2        detect        tcpflags,dhcp
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> As for the WARNING: The 'norfc1918' option is deprecated, how can this
> be fixed?

Remove the 'norfc1918' option.

-Tom
> Date: Sun, 21 Jun 2009 06:15:47 -0700
> From: teastep@shorewall.net
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Error in interfaces when changing from shell to perl
>
> P H wrote:
> > Hi,
> >
> > Shorewall ver 4.2.9
> > Shorewall.conf perl
> >
> > I am changing from SHELL to PERL.
> >
> > /etc/shorewall/interfaces
> >
> > #ZONE   INTERFACE   BROADCAST     OPTIONS
> > net     ppp0        detect        routefilter,norfc1918,tcpflags,blacklist
> > modem   eth0        detect
> > loc     eth1        10.10.1.255   tcpflags,dhcp
> > dmz     eth2        10.10.3.255   tcpflags,dhcp
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> >
> > I am getting these errors when running shorewall start.
> >
> > Compiling /etc/shorewall/interfaces...
> > WARNING: Shorewall no longer uses broadcast addresses in rule
> > generation when Address Type Match is available :
> > /etc/shorewall/interfaces (line 13)
> > WARNING: Shorewall no longer uses broadcast addresses in rule
> > generation when Address Type Match is available :
> > /etc/shorewall/interfaces (line 14)
> >
> > Compiling /etc/shorewall/blacklist...
> > Adding rules for DHCP
> > WARNING: The 'norfc1918' option is deprecated
> > Compiling /usr/share/shorewall/rfc1918...
> >
> > For the first 2 errors in the interfaces file, is it OK to change it to the following?
> >
> > #ZONE   INTERFACE   BROADCAST     OPTIONS
> > net     ppp0        detect        routefilter,norfc1918,tcpflags,blacklist
> > modem   eth0        detect
> > loc     eth1        detect        tcpflags,dhcp
> > dmz     eth2        detect        tcpflags,dhcp
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> >
> > As for the WARNING: The 'norfc1918' option is deprecated, how can this
> > be fixed?
>
> Remove the 'norfc1918' option.
>
> -Tom

Thank you.